The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) (together the European Supervisory authorities or ESAs) launched a public consultation on the first batch of draft regulatory and implementing technical standards under Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA) on 19 June 2023.

DORA establishes a comprehensive regulatory framework for financial entities operating in the EU that aims at increasing the digital resilience of the financial sector against ICT-related disruptions and threats, (including cybersecurity threats), improve ICT risk management and establish an oversight framework for critical ICT third-party service providers. You can read about DORA in our blog here and listen to the podcasts here.

The ESAs’ proposals aim to ensure establishment of a harmonised legal framework for ICT risk management and incident reporting, including:

• draft regulatory technical standards (RTS) on ICT risk management framework (Articles 15 and 16(3) of DORA). This draft RTS sets out requirements to ICT policies, procedures, protocols and tools relating to ICT risk management, HR policy and access controls, incident detection and response, business continuity management, and reporting on the risk management framework. A simplified framework is proposed for certain categories of financial entities (e.g. small and not interconnected investment firms and certain payment and electronic money institutions);
• draft implementing technical standards to establish the templates for the register of information as part of the ICT risk management framework (Article 28(9) DORA). Two sets of templates are proposed for registers at an individual entity level and consolidated templates;
• draft RTS on criteria for the classification of ICT-related incidents (Article 18(3) DORA), including the classification and materiality thresholds for determining major incidents subject to reporting, criteria and thresholds for classifying cyber threats, criteria for assessing the relevance of major ICT-related incidents and information to be reported; and
• draft RTS to specify the policy on ICT services performed by ICT third-party providers (Article 28(10) DORA), covering requirements applicable to all phases of the provider management (e.g. during pre-contractual phase, contract implementation and management as well as the exit strategy and termination).

Public comments are open until 11 September 2023. The ESAs will also organise an online public hearing about the first batch of the documents on 13 July 2023. The final versions are expected to be finalised by 17 January 2024.

The ESAs plan to launch a consultation on the second batch of the documents relating to DORA in November-December 2023. The second batch will include, among others:

• guidelines on the estimation of losses caused by major ICT incidents;
• reporting details for major ICT incidents;
• specifications for the threat-led penetration testing; and
• subcontracting ICT services that support critical functions and documents relating to the oversight framework under DORA (e.g. cooperation of ESAs with competent authorities and harmonisation of oversight conditions).

The press release is available here. The introductory note, setting out the timelines for the policy development of all DORA technical standards, specifications and guidance, is available here. Information about the public hearing on 13 July 2023 is available here.